chore: cleanup obsolete tests and consolidate mocks

Removed obsolete test for database sync behavior and consolidated to mockery v3 mocks package.

Changes:
- Removed TestSyncMultipleEnforcers (tested database sync, no longer relevant with in-memory enforcer)
- Migrated casbackend_test.go to use mocks package instead of mocks_test.go
- Deleted pkg/biz/mocks_test.go (replaced by pkg/biz/mocks/ package)
- Added mockery v3 and API token policies notes to CLAUDE.md

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>

Author: migmartri

CLAUDE.md

@@ -217,9 +217,12 @@ The project heavily uses code generation:
 - **Wire**: Dependency injection
 - **Ent**: ORM models and queries
 - **Buf**: Protobuf tooling and validation
+- **Mockery v3**: Test mocks - add interface to `.mockery.yml`, run `mockery` from that directory
 
 Always run `make generate` after modifying .proto files or Ent schemas.
 
+**API Token Policies**: If modifying `DefaultAuthzPolicies` in `pkg/biz/apitoken.go`, create a migration to update existing tokens' `policies` field - they're stored in DB, not loaded dynamically.
+
 ## Contract-Based Development
 
 Workflow Contracts define the structure and requirements for CI/CD attestations. They specify what materials must be collected and policies that must be evaluated.

app/controlplane/pkg/authz/authz_test.go

@@ -24,124 +24,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-
-// simulate 2 enforcers on the same database (by acting on the same file enforcer)
-func TestSyncMultipleEnforcers(t *testing.T) {
-	testCases := []struct {
-		name              string
-		newEnforcerConfig *Config
-		expectErr         bool
-		numPolicies       int
-		numSubjects       int
-		numAdminActions   int
-	}{
-		{
-			name:              "empty config",
-			newEnforcerConfig: &Config{},
-			expectErr:         false,
-			numPolicies:       3,
-			numSubjects:       2,
-			numAdminActions:   2,
-		},
-		{
-			name: "new actions on different resources for same roles",
-			newEnforcerConfig: &Config{
-				ManagedResources: []string{ResourceGroup},
-				RolesMap: map[Role][]*Policy{
-					RoleAdmin: {{
-						Resource: ResourceGroup,
-						Action:   ActionCreate,
-					}},
-				},
-			},
-			expectErr:       false,
-			numPolicies:     4,
-			numSubjects:     2,
-			numAdminActions: 3,
-		},
-		{
-			name: "new actions on different resources for new roles",
-			newEnforcerConfig: &Config{
-				ManagedResources: []string{ResourceGroup},
-				RolesMap: map[Role][]*Policy{
-					RoleProjectAdmin: {{
-						Resource: ResourceGroup,
-						Action:   ActionCreate,
-					}},
-				},
-			},
-			expectErr:       false,
-			numSubjects:     3,
-			numPolicies:     4,
-			numAdminActions: 2,
-		},
-		{
-			name: "reset admin actions on same resource, collision",
-			newEnforcerConfig: &Config{
-				ManagedResources: []string{ResourceWorkflow},
-				RolesMap: map[Role][]*Policy{
-					RoleAdmin: {}, // this should remove all admin actions from enforcer
-				},
-			},
-			expectErr:       false,
-			numSubjects:     1,
-			numPolicies:     1,
-			numAdminActions: 0,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			e, c := testEnforcer(t)
-			defer c.Close()
-
-			// initial import
-			err := syncRBACRoles(e, &Config{
-				ManagedResources: []string{ResourceWorkflow, ResourceWorkflowRun},
-				RolesMap: map[Role][]*Policy{
-					RoleAdmin: {{
-						Resource: ResourceWorkflow,
-						Action:   ActionCreate,
-					}, {
-						Resource: ResourceWorkflow,
-						Action:   ActionDelete,
-					}},
-					RoleOrgMember: {{
-						Resource: ResourceWorkflowRun,
-						Action:   ActionList,
-					}},
-				},
-			})
-			require.NoError(t, err)
-
-			// sync with test case config
-			err = syncRBACRoles(e, tc.newEnforcerConfig)
-			if tc.expectErr {
-				assert.Error(t, err)
-				return
-			}
-			assert.NoError(t, err)
-
-			policies, err := e.GetPolicy()
-			assert.NoError(t, err)
-			assert.Len(t, policies, tc.numPolicies)
-
-			adminCount := 0
-			for _, r := range policies {
-				if r[0] == string(RoleAdmin) {
-					adminCount++
-				}
-			}
-			assert.Equal(t, tc.numAdminActions, adminCount)
-
-			subs, err := e.GetAllSubjects()
-			assert.NoError(t, err)
-			assert.Len(t, subs, tc.numSubjects) // We need to count the Viewer role
-		})
-	}
-}
-
-
 func TestSyncRBACRoles(t *testing.T) {
 	e, closer := testEnforcer(t)
 	defer closer.Close()

app/controlplane/pkg/biz/casbackend_test.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@ import (
 	"testing"
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
+	bizMocks "github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz/mocks"
 	backends "github.com/chainloop-dev/chainloop/pkg/blobmanager"
 	blobM "github.com/chainloop-dev/chainloop/pkg/blobmanager/mocks"
 	"github.com/chainloop-dev/chainloop/pkg/credentials"
@@ -36,7 +37,7 @@ type casBackendTestSuite struct {
 	validUUID       uuid.UUID
 	invalidUUID     string
 	useCase         *biz.CASBackendUseCase
-	repo            *biz.MockCASBackendRepo
+	repo            *bizMocks.CASBackendRepo
 	credsRW         *credentialsM.ReaderWriter
 	backendProvider *blobM.Provider
 }
@@ -277,7 +278,7 @@ func (s *casBackendTestSuite) resetMock() {
 func (s *casBackendTestSuite) SetupTest() {
 	s.validUUID = uuid.New()
 	s.invalidUUID = "deadbeef"
-	s.repo = biz.NewMockCASBackendRepo(s.T())
+	s.repo = bizMocks.NewCASBackendRepo(s.T())
 	s.credsRW = credentialsM.NewReaderWriter(s.T())
 	s.backendProvider = blobM.NewProvider(s.T())
 	var err error